Turris OS 7.1.2 is rolling out!

Dear Turris users,

we just released Turris OS 7.1.2 into the wild. We fixed an issue in nor-update that could break your setup, and we also added proper dependencies to miniupnpd so it should now install the correct variant of the daemon. It also contains a new version of reForis that polishes the UI even more.

Full release notes are as follows:

:pushpin: Updates

  • reForis: Update to version 3.2.0

:bug: Bug Fixes

  • miniupnpd: Fix dependencies on firewall
  • uboot-tools: More robust handling of U-Boot during update
  • user-notify: Adjust notifications to make them less likely to end up in spam

As it is a small release, it should arrive at your routers within the next three days.

6 Likes

TO 2016, HBS branch, 2 GB, 2x WiFi, HaaS, RIPE Atlas, Sentinel, lxc, SSD (logs etc), simple config, all seems OK.

(Reboot was not required, rebooted anyhow.)

Updated to 7.1.2 (received immediately, lucky me :slight_smile: )

Firewall is still not completely happy, it seems. Here’s the deets:

firewall reload log

Section @zone[1] (wan) specifies unknown option 'sentinel_dynfw'
Section @zone[1] (wan) specifies unknown option 'sentinel_fwlogs'
Section @zone[1] (wan) specifies unknown option 'sentinel_minipot'
Section @zone[1] (wan) specifies unknown option 'haas_proxy'
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
Section miniupnpd option 'family' is not supported by fw4
Section miniupnpd option 'reload' is not supported by fw4
Section miniupnpd specifies unreachable path '/usr/share/miniupnpd/firewall.include', ignoring section
Section @include[3] option 'reload' is not supported by fw4

  • Checking for currently setup Sentinel rules
  • Dynamic blocking on zone ‘wan’
  • Logging of zone ‘wan’
  • Minipot FTP on zone ‘wan’ (21 → 2133)
  • Minipot HTTP on zone ‘wan’ (80 → 8033)
  • Minipot SMTP on zone ‘wan’ (25 → 5873)
  • Minipot SMTP submission on zone ‘wan’ (587 → 5873)
  • Minipot Telnet on zone ‘wan’ (23 → 2333)
  • HaaS proxy on zone ‘wan’ (22 → 2525)

and here’s what the /etc/config/firewall looks like

firewall config

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option sentinel_dynfw '1'
	option sentinel_fwlogs '1'
	option sentinel_minipot '1'
	option haas_proxy '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone 'guest_turris'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option enabled '1'
	list network 'guest_turris'
	option name 'tr_guest'

config forwarding 'guest_turris_forward_wan'
	option name 'guest to wan forward'
	option dest 'wan'
	option enabled '1'
	option src 'tr_guest'

config rule 'guest_turris_dns_rule'
	option name 'guest dns rule'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'
	option src 'tr_guest'

config rule 'guest_turris_dhcp_rule'
	option name 'guest dhcp rule'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'tr_guest'

config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'
	option enabled '0'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'
	option enabled '0'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'
	option enabled '0'

config rule 'turris_wan_6in4_rule'
	option family 'ipv4'
	option proto '41'
	option target 'ACCEPT'
	option src 'wan'
	option src_ip '1.1.1.1'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'SSH redirect'
	option src_dport '122'
	option target 'DNAT'
	option dest 'lan'
	list proto 'tcp'
	option enabled '0'

config zone 'vpn_turris'
	option enabled '1'
	option name 'vpn_turris'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	list network 'vpn_turris'

config rule 'vpn_turris_rule'
	option name 'vpn_turris_rule'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'wan'
	option dest_port '1194'

config forwarding 'vpn_turris_forward_lan_in'
	option enabled '1'
	option src 'vpn_turris'
	option dest 'lan'

config forwarding 'vpn_turris_forward_lan_out'
	option enabled '1'
	option src 'lan'
	option dest 'vpn_turris'

config forwarding 'vpn_turris_forward_wan_out'
	option enabled '1'
	option src 'vpn_turris'
	option dest 'wan'

config zone 'turris_vpn_client'
	option name 'tr_vpn_cl'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding 'turris_vpn_client_forward'
	option src 'lan'
	option dest 'tr_vpn_cl'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

config include
	option path '/etc/firewall.fail2ban'
	option enabled '1'
	option reload '1'

config include 'sentinel_firewall'
	option type 'script'
	option path '/usr/libexec/sentinel/firewall.sh'
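A small checker that reproduces the kinds of warnings in the reload log above from a copy of /etc/config/firewall, so a config can be reviewed off-router before a reload. It is an added example, not Turris OS or OpenWrt fw4 code. It reports zone options fw4 does not recognise (so package-added options such as the Sentinel ones can be told apart from typos), `family` and `reload` options on include sections, include paths that do not exist, and a legacy /etc/firewall.user include without `fw4_compatible`. The list of accepted zone options, and restricting the compatibility check to /etc/firewall.user, are assumptions made here; the sample config is a constructed excerpt of the one posted above.

```python
"""Lint a copy of /etc/config/firewall for the kinds of problems fw4 reported
in the reload log above. Added example, not Turris OS or OpenWrt fw4 code."""
import os
import re

# Zone options fw4 accepts. Assumption: trimmed to the common ones; extend it
# if your config carries legitimate options that are not listed here.
KNOWN_ZONE_OPTIONS = {
    "name", "network", "device", "subnet", "input", "output", "forward",
    "masq", "masq6", "masq_src", "masq_dest", "masq_allow_invalid", "mtu_fix",
    "family", "log", "log_limit", "custom_chains", "helper", "auto_helper",
    "enabled",
}
# Include-section options the reload log shows fw4 rejecting.
INCLUDE_UNSUPPORTED = ("family", "reload")


def parse_uci(text):
    """Parse UCI text into [(section_type, section_name_or_None, options)].
    Repeated `list` keys become Python lists. Assumes single-quoted values."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$", line)
        if not m:
            continue  # blank lines, comments, anything not modelled here
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        elif sections:
            opts = sections[-1][2]
            if kind == "option":
                opts[key] = value
            else:
                opts.setdefault(key, []).append(value)
    return sections


def lint_firewall(text, path_exists=os.path.exists):
    """Return warning strings in the style of the fw4 reload log.
    `path_exists` is injectable so a config can be linted off-router."""
    warnings = []
    counters = {}
    for stype, name, opts in parse_uci(text):
        idx = counters.get(stype, 0)
        counters[stype] = idx + 1
        label = name or f"@{stype}[{idx}]"  # fw4 labels anonymous sections this way
        if stype == "zone":
            zone = opts.get("name", "?")
            for key in opts:
                if key not in KNOWN_ZONE_OPTIONS:
                    warnings.append(
                        f"Section {label} ({zone}) specifies unknown option '{key}'")
        elif stype == "include":
            path = opts.get("path", "")
            # Assumption: only the legacy /etc/firewall.user include is checked
            # for fw4_compatible, as that is the one the log shows being ignored.
            if path == "/etc/firewall.user" and opts.get("fw4_compatible") != "1":
                warnings.append(
                    f"Section {label} is not marked as compatible with fw4, ignoring section")
                continue
            for key in INCLUDE_UNSUPPORTED:
                if key in opts:
                    warnings.append(f"Section {label} option '{key}' is not supported by fw4")
            if path and not path_exists(path):
                warnings.append(
                    f"Section {label} specifies unreachable path '{path}', ignoring section")
    return warnings


# Constructed excerpt of the config posted above (not the full file).
SAMPLE_CONFIG = """
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option masq '1'
	option sentinel_dynfw '1'
	option haas_proxy '1'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'
"""

if __name__ == "__main__":
    # Pretend only the bcp38 script is installed on this machine.
    for w in lint_firewall(SAMPLE_CONFIG, lambda p: p == "/usr/lib/bcp38/run.sh"):
        print(w)
```

Run it against a `scp`'d copy of the router's /etc/config/firewall with the default `path_exists` replaced by one that knows which include scripts the router actually has; the `reload` and `family` warnings on the miniupnpd and fail2ban includes are harmless leftovers from fw3, whereas an unreachable path means that include's rules are silently not loaded.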

I don't want to jinx it, but UPnP seems to be OK; I just had to do the upgrade via Putty, reForis is putting on a bit of a show: "cannot install".

|Device|Turris Omnia|
|Serial number|x|
|reForis version|3.2.0|
|Turris OS version|7.1.2|
|Turris OS branch|HBS|
|Kernel version|5.15.148|

1 Like

Updated from 7.0.3, can no longer reach devices over IPv6 from outside. Timeout. Traffic rules still in place.

Rolled back to 7.0.3, issue persists. Back to 7.1.2, still no connectivity. Please help.

I cannot even ping any of my devices from outside.

Rolled back to an older (cron) 7.0.3 snapshot. Still broken. How is it possible that it’s broken even with an older snapshot?

Disabling the traffic rule → Connection refused
Enabling the traffic rule → Timeout

There should not be a timeout with the enabled rule.

1 Like

All my Proxmox containers lost IPv6 connectivity. The addresses were no longer reachable. Had to restart all of them. Why?

Also, DNS stopped working all across my network. Why? Because after the Turris OS upgrade, there was a new DHCP option configured in Luci:

6,192.168.100.1/24

Which caused all my devices to grab this address for their resolv.conf:

24.192.168.100

What the hell? I have never created such an entry. What is happening here? What more peculiar behavior am I about to experience with this - of course well tested - update?

2 Likes

I used pkgupdate to upgrade on my Turris Omnia 2 GiB RAM as I prefer to see on the command line output what exactly is happening :slight_smile:. Seems to be working fine.

However, I keep getting these, like on other recent upgrades:

(../src/mod_openssl.c.3141) SSL:openssl library version is outdated and has reached end-of-life. As of 11 Sep 2023, only openssl 3.0.0 and later continue to receive security patches from openssl.org

Anything I should do about those messages? Or is it just waiting for a future update?

Thanks.

I think the 7.1 update borked my wifi - probably DHCP as I can still connect when using manually assigned IP address.
Rolling back did not fix either!

Check DHCP options in LuCi. Interfaces → LAN → Edit → DHCP Server → Advanced Settings.

Maybe there are some weird options set, see my earlier post.

2 Likes

Updated my Omnia manually from 7.0.3 using pkgupdate, no issues. All custom configurations kept and operational (VLANs, Tailscale, firewall rules, IPv6 via he.net).

Also updated the NOR firmware in a separate step, no issues.

Good work!

Wait for TOS 7.1.3. It will go into the test on Friday and will be released on Monday unless there are problems over the weekend.

2 Likes

I know nothing about Proxmox, but e.g. LXC containers also lose their connectivity if you do /etc/init.d/network restart. I think it is a known problem with no good solution so far. I guess rebooting the router would fix the issue, right?

I had this same issue after the upgrade.

I then remembered that this happened before, about two years ago (don’t remember which TOS version). At the time I was thinking it was my own mistake, even if I could not remember changing any configurations myself in the days before it appeared.

After seeing it again yesterday, it became clear to me that it was probably the upgrade.

So that might be a bug or something that has been looming in the upgrade scripts for quite some time, but probably needs specific circumstances to appear.

2 Likes

IPv6 issue was my fault. My new Zyxel switch sent out RA messages :dizzy_face: This has not been noticed for days until my Omnia was restarted. I opened a Turris ticket which is therefore obsolete. Sorry, my bad.

The DHCP option issue however seems to be a bug that needs to be addressed by Turris team, especially now as it has been confirmed by a second user.

You may want to check the last-change timestamp of your config file /etc/config/dhcp: was it the time of the update? Also check whether there is a file like dhcp-opkg, which is a backup file created by the updater if it is going to change the file, and compare the two.
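The two checks suggested in this thread, validating the `dhcp_option` entries in /etc/config/dhcp (the earlier post's `6,192.168.100.1/24` entry, which handed clients a bogus resolver) and diffing the current file against the updater's backup copy, as an added Python example that is not Turris or OpenWrt code. The backup file name, the set of address-typed option codes and both sample configs are constructed for the example.

```python
"""Sanity checks for dnsmasq-style DHCP options in OpenWrt's /etc/config/dhcp.
Added example, not Turris OS or OpenWrt code. It validates each
`list dhcp_option` value and reports entries present in the current file but
absent from a backup copy. All sample content below is constructed."""
import ipaddress
import re

# DHCP option codes whose payload is a list of IPv4 addresses (RFC 2132).
# Assumption: trimmed to the codes a home router commonly hands out.
ADDRESS_LIST_OPTIONS = {3: "router", 6: "dns-server", 42: "ntp-server"}
# dnsmasq also accepts symbolic names such as 'option:dns-server'.
NAME_TO_CODE = {f"option:{n}": c for c, n in ADDRESS_LIST_OPTIONS.items()}


def check_dhcp_option(spec):
    """Validate one dhcp_option value such as '6,192.168.100.1'.
    Returns a list of problem strings; an empty list means it looks sane."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) < 2:
        return [f"{spec!r}: expected 'code,value[,value...]'"]
    head = parts[0]
    if head in NAME_TO_CODE:
        code = NAME_TO_CODE[head]
    elif head.isdigit():
        code = int(head)
    else:
        return [f"{spec!r}: unrecognised option code {head!r}"]
    if code not in ADDRESS_LIST_OPTIONS:
        return []  # string- or number-typed options are not modelled here
    problems = []
    kind = ADDRESS_LIST_OPTIONS[code]
    for value in parts[1:]:
        if "/" in value:
            # A prefix length is meaningless in an address list option and is
            # exactly the shape of the bad entry reported in the thread.
            problems.append(f"{spec!r}: option {code} ({kind}) takes plain "
                            f"addresses, not the CIDR form {value!r}")
            continue
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{spec!r}: {value!r} is not an IPv4 address")
    return problems


def dhcp_options(uci_text):
    """Extract `list dhcp_option '<value>'` entries from UCI text, in order."""
    return re.findall(r"^\s*list\s+dhcp_option\s+'([^']*)'", uci_text, re.M)


def audit(current, backup=None):
    """Return {'invalid': [...], 'added': [...]}: malformed option values in
    `current`, and values in `current` that the `backup` copy does not have."""
    cur = dhcp_options(current)
    invalid = [p for spec in cur for p in check_dhcp_option(spec)]
    added = [] if backup is None else [s for s in cur if s not in dhcp_options(backup)]
    return {"invalid": invalid, "added": added}


# Constructed sample: the backup carries a sane DNS option, the current file
# has picked up the CIDR-suffixed variant reported in the thread.
BACKUP_DHCP = """
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	list dhcp_option '6,192.168.100.1'
"""
CURRENT_DHCP = BACKUP_DHCP.replace("'6,192.168.100.1'", "'6,192.168.100.1/24'")

if __name__ == "__main__":
    # On a router: audit(open('/etc/config/dhcp').read(), open(BACKUP_PATH).read())
    # where BACKUP_PATH is whatever backup the updater left (name is an assumption).
    result = audit(CURRENT_DHCP, BACKUP_DHCP)
    for line in result["invalid"]:
        print("invalid:", line)
    for spec in result["added"]:
        print("not in backup:", spec)
```

Any entry listed under `invalid` is worth removing from LuCI's DHCP advanced settings before the next lease renewal; the `added` list shows which entries appeared only after the update, which is the evidence to attach to a ticket.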

Reading about all these problems here, I guess I'll wait for the next update with my blue box :face_with_peeking_eye::grinning:

1 Like

Omnia 2020 no issues, restart wasn’t needed.

2GB, 2x WiFi, 1TB mSata SSD, VLANs, WireGuard, Samba, MiniDlna, AdBlock.

How does it look with 7.1.3, please? :slight_smile: